Next release of paranoia

Events happening in the community are now at Drupal community events on www.drupal.org.
Posted by greggles on March 9, 2015 at 10:40pm

I'm working on a new release of paranoia. In addition to blocking more permissions I'd like to include a feature that blocks all the import boxes that run php from the user interface (e.g. the "Import Views" box).

The issue to do that needs review and is at https://www.drupal.org/node/2313945

Once that hook is in we would need to add in a bunch more form IDs to block.

Comments

Neat! In addition to blocking

Posted by rickmanelius on March 9, 2015 at 10:52pm

Neat! In addition to blocking certain forms, is there any value in blocking particular forms from being altered? My initial sense is no, but I'd have to think through it in more detail. An obvious use case is credit card forms, but it could be equally useful in plugging holes in say a password reset form modified to email out a second password reset link.

Again, probably off topic and I'd be happy to chime in on the primary issue that needs review.

Might be interesting to also

Posted by pwolanin on March 9, 2015 at 10:55pm

Might be interesting to also include some suggestions or documentation around http://php.net/manual/en/ini.core.php#ini.disable-functions

Though that has to be in the actual .ini file.

It's tricky to draw the line,

Posted by greggles on March 10, 2015 at 2:55am

It's tricky to draw the line, but I think that's more appropriate for https://www.drupal.org/project/security_review which is about analyzing and reporting. Paranoia is more about actively blocking.

So, I committed that patch

Posted by greggles on May 19, 2015 at 9:47pm

So, I committed that patch and a handful of other features. Executing php via the views import screen is now blocked at the url level and the form level.

I'd love some verification that the current dev branch generally works. I plan to tag a new release in the next week or so.

OH, and PS - I've written a

Posted by greggles on May 19, 2015 at 9:49pm

OH, and PS - I've written a new patch that will remove other active sessions if a user changes their password. https://www.drupal.org/node/2294061

This is something that's been suggested to me from a few different angles. The basic goal is that if someone's account has been compromised, then using the password reset link and resetting your password will completely lock out a malicious user.

It seems like a worthwhile feature to have in the Paranoia module.

I've written a new patch that

Posted by mpdonadio on May 19, 2015 at 11:18pm

I've written a new patch that will remove other active sessions if a user changes their password.

This should be in core. Add a checkbox to the form(s) to do it. I think I may make the feature request for 8.1.x to do it, and come up with a patch.

Alrighty - now published at

Posted by greggles on June 1, 2015 at 5:45pm

Alrighty - now published at https://www.drupal.org/node/2498469

I've committed 2 new features so they'll get some good testing from anyone who uses the dev release.

Security

Group organizers

Group notifications

This group offers an RSS feed. Or subscribe to these personalized, sitewide feeds:

AltStyle によって変換されたページ (->オリジナル) /